Defense Contractor Fined for Cyber Failures
Nov. 24, 2025
A Massachusetts defense contractor recently agreed to pay $4.6 million to settle allegations it violated the False Claims Act by failing to meet cybersecurity requirements in contracts with the Army and Air Force. The case against MORSECORP Inc. serves as a stark warning for defense industrial base contractors about the financial and legal consequences of cybersecurity compliance failures.
What Happened at MORSECORP
Between January 2018 and February 2023, MORSECORP submitted payment claims to the Department of Defense while knowing it had failed to implement required cybersecurity controls. The company admitted to multiple critical failures that left sensitive defense information vulnerable to exploitation.
The most damaging revelation came in July 2022 when a third-party cybersecurity consultant informed MORSECORP its actual NIST Special Publication 800-171 implementation score was negative 142. This was drastically different from the score of 104 the company had self-reported to the Department of Defense in January 2021. The consultant found roughly 78% of required controls were either not implemented or only partially implemented.
Despite receiving this assessment, MORSECORP waited nearly a year to update its score in the Supplier Performance Risk System (SPRS). The update finally came in June 2023, three months after the United States served the company with a subpoena concerning its lax cybersecurity practices.
Understanding NIST SP 800-171 Requirements
NIST Special Publication 800-171 establishes security requirements for protecting Controlled Unclassified Information in nonfederal systems. Defense contractors were required to implement all 110 security controls by December 31, 2017. These controls cover everything from access control and incident response to system security planning and media protection.
The MORSECORP case highlights several specific violations that contractors must avoid. From January 2018 to September 2022, the company used a third-party email hosting service without ensuring it met the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline requirements. This meant sensitive defense communications lacked adequate security protections for years.
Additionally, MORSECORP operated without consolidated system security plans from January 2018 to January 2021. These plans are fundamental documents that describe system boundaries, operating environments, security implementation details, and connections to other systems. Operating without them represents a basic breakdown in cybersecurity governance.
The Growing Enforcement Landscape
The Department of Justice has made clear that cybersecurity compliance violations will be treated as False Claims Act matters. This means contractors who submit payment requests while knowing they have not met contractual cybersecurity requirements face significant legal exposure beyond just fixing the technical problems.
The MORSECORP settlement included $2.3 million in restitution, demonstrating that courts view these violations as causing actual financial harm to the government. The case also resulted in a whistleblower receiving $851,000, incentivizing employees and industry insiders to report compliance failures.
This enforcement approach reflects the government's recognition that inadequate cybersecurity in the defense industrial base represents a national security threat. When contractors fail to protect Controlled Unclassified Information, they create vulnerabilities that adversaries can exploit to access sensitive defense technology, operational plans, and research data.
The Path to CMMC Compliance
The Cybersecurity Maturity Model Certification program builds directly on the lessons of cases like MORSECORP. CMMC requires independent third-party assessment of cybersecurity implementations rather than relying solely on contractor self-assessments. This addresses the exact problem that occurred when MORSECORP self-reported a score of 104 while actually operating at negative 142.
CMMC assessments verify that contractors have not just documented policies but have actually implemented effective security practices across their information systems. Assessors examine technical configurations, interview personnel, and review artifacts to confirm controls function as intended.
For contractors currently working toward CMMC certification, the MORSECORP case offers clear guidance on what not to do. Waiting until a subpoena arrives to correct inaccurate compliance reporting creates both legal liability and reputational damage. Contractors must conduct honest gap assessments, address deficiencies proactively, and report accurate scores even when the results are unfavorable.
Critical Compliance Elements
Several specific requirements from the MORSECORP case deserve particular attention from defense contractors. Third-party cloud service providers must meet FedRAMP Moderate baseline requirements when processing, storing, or transmitting Controlled Unclassified Information. Contractors cannot simply pass security responsibility to vendors without verifying compliance.
System security plans are non-negotiable foundational documents. Every information system that processes defense information requires a written plan describing boundaries, security implementations, and system connections. These plans provide the roadmap for both implementing security and demonstrating compliance to auditors.
Accurate self-assessment scoring matters tremendously under the current DFARS requirements and will remain important as CMMC is fully implemented. The NIST SP 800-171 assessment methodology produces scores ranging from negative 203 to 110. A score of negative 142, as MORSECORP actually had, indicates fundamental security deficiencies that require immediate remediation.
Working With a Registered Practitioner Organization
The complexity of cybersecurity compliance requirements makes working with experienced professionals essential for defense contractors. STACK Cybersecurity operates as a CMMC Third Party Assessor Organization and Registered Practitioner Organization, providing the expertise contractors need to achieve and maintain compliance.
Our team helps contractors conduct thorough gap assessments that identify actual implementation deficiencies rather than just documenting policies. We work with companies to develop realistic remediation plans, implement technical controls, and prepare for formal assessments. This preparation prevents the situation MORSECORP faced when a consultant revealed the true state of its cybersecurity program.
As a Registered Practitioner Organization, STACK brings deep knowledge of both NIST SP 800-171 requirements and CMMC assessment processes. We help contractors understand exactly what assessors will examine, how to document implementations effectively, and how to maintain compliance over time as threats and requirements evolve.
Beyond Compliance to Security
While the MORSECORP case centered on compliance failures, the underlying issue was inadequate security that left defense information vulnerable. Contractors must remember that cybersecurity requirements exist to protect sensitive information from real threats, not simply to check regulatory boxes.
Effective cybersecurity programs treat compliance as the foundation rather than the destination. Meeting NIST SP 800-171 requirements and achieving CMMC certification demonstrate baseline competency. Building truly resilient security requires continuous monitoring, regular assessments, prompt incident response, and adaptation to emerging threats.
Defense contractors handle information that adversaries actively target. Foreign intelligence services, cybercriminal organizations, and other threat actors specifically focus on the defense industrial base to steal technology, understand capabilities, and compromise supply chains. Contractors with inadequate security become the weak links that adversaries exploit.
The Cost of Noncompliance
MORSECORP's $4.6 million settlement represents just the direct financial penalty. The company also faces indirect costs including legal fees, consultant expenses, reputation damage, and potential loss of future contracts. The Army Criminal Investigation Division, Air Force Office of Special Investigations, and Defense Criminal Investigative Service all participated in the investigation, indicating the seriousness with which the Department of Defense treats these violations.
Beyond financial penalties, contractors face suspension and debarment proceedings for serious compliance failures. Being excluded from federal contracting can destroy companies that depend on defense work. Even after resolving legal matters, contractors may find customers reluctant to share sensitive information or award new contracts due to past security failures.
The whistleblower provisions of the False Claims Act create additional risk for noncompliant contractors. Employees, consultants, and business partners who become aware of compliance failures have financial incentive to report them. The $851,000 whistleblower payment in the MORSECORP case demonstrates that these rewards can be substantial.
Taking Action Now
Defense contractors cannot afford to wait for subpoenas or whistleblower complaints to address cybersecurity deficiencies. The time to act is now, before problems escalate into legal matters.
Start with an honest assessment of your current cybersecurity posture. Engage qualified third-party assessors to evaluate your implementations against NIST SP 800-171 requirements and identify gaps. Document findings thoroughly and develop realistic remediation timelines.
If your assessment reveals deficiencies, report accurate scores to the Department of Defense immediately. The MORSECORP case shows that delaying corrections after learning about problems significantly increases legal exposure. Demonstrating good faith efforts to identify and address issues proactively provides far better legal footing than trying to hide problems.
STACK Cybersecurity helps defense contractors navigate the complex requirements of NIST SP 800-171 and CMMC. Our team of experienced practitioners provides gap assessments, remediation support, and preparation for formal certification. We work with companies of all sizes to build security programs that protect sensitive information and satisfy regulatory requirements.
Contact us today to discuss your business cybersecurity needs. Our Registered Practitioner Organization (RPO) status and deep Department of Defense experience make us the right partner for defense contractors committed to meeting cybersecurity requirements. Don't let your company become the next compliance enforcement case study.